CVE-2024-10901: DB-GPT Arbitrary File Write vulnerability
In eosphoros-ai/db-gpt version v0.6.3 and earlier, the web API endpoint POST /api/v1/editor/chart/run executes arbitrary SQL queries without any access control. An attacker can exploit this to write arbitrary files to the victim's file system, which can lead to Remote Code Execution (RCE), for example by writing a malicious __init__.py into Python's site-packages directory.
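The following Python example is added here to illustrate the two halves of the advisory: how an endpoint that executes submitted SQL verbatim turns into a file write, and what the missing checks look like. It is not DB-GPT's code. The advisory names neither the database engine nor the statement used, so this example assumes SQLite and uses ATTACH DATABASE as the file-creating statement, writes into a temporary directory that stands in for site-packages, and uses a constructed attacker payload; the function names (run_sql_unchecked, run_sql_hardened) are hypothetical.

```python
import os
import sqlite3
import tempfile


def attacker_sql(target_path: str) -> list:
    """Constructed attacker input: the kind of SQL an unauthenticated caller
    could submit to an endpoint that executes request bodies verbatim.
    Assumption: a SQLite-style ATTACH is the file-creating statement; the
    advisory names neither the engine nor the exact statement used."""
    return [
        f"ATTACH DATABASE '{target_path}' AS evil",
        "CREATE TABLE evil.payload (data TEXT)",
        "INSERT INTO evil.payload VALUES ('attacker-controlled bytes')",
    ]


def run_sql_unchecked(conn: sqlite3.Connection, statements: list) -> None:
    """Vulnerable pattern: no caller identity check, every statement executed."""
    for stmt in statements:
        conn.execute(stmt)
    conn.commit()


def run_sql_hardened(conn: sqlite3.Connection, statements: list, user) -> list:
    """Hardened pattern: refuse anonymous callers, then let SQLite's authorizer
    reject everything except read-only SELECT work (no ATTACH, DDL or DML)."""
    if user is None:
        raise PermissionError("authentication required")

    read_only_actions = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                         sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # Called by SQLite while compiling each statement; DENY makes the
        # statement fail before it executes, so no file is ever opened.
        return sqlite3.SQLITE_OK if action in read_only_actions else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return [conn.execute(stmt).fetchall() for stmt in statements]


def demo() -> dict:
    """Run both patterns against a temp dir standing in for site-packages."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "__init__.py")
        stmts = attacker_sql(target)

        # 1. Unchecked execution: the submitted SQL creates a file on disk.
        conn = sqlite3.connect(":memory:")
        run_sql_unchecked(conn, stmts)
        conn.close()
        results["vulnerable_file_written"] = (
            os.path.exists(target) and os.path.getsize(target) > 0)
        os.remove(target)

        # 2. Hardened, anonymous caller: rejected before any SQL runs.
        conn = sqlite3.connect(":memory:")
        try:
            run_sql_hardened(conn, stmts, user=None)
            results["anonymous_rejected"] = False
        except PermissionError:
            results["anonymous_rejected"] = True

        # 3. Hardened, authenticated caller: ATTACH is denied by the authorizer.
        try:
            run_sql_hardened(conn, stmts, user="alice")
            results["attach_denied"] = False
        except sqlite3.Error:
            results["attach_denied"] = True
        results["hardened_file_written"] = os.path.exists(target)

        # 4. Legitimate read-only work still succeeds for the authenticated caller.
        results["readonly_rows"] = run_sql_hardened(conn, ["SELECT 1 + 1"], user="alice")
        conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The authorizer is the engine-level backstop; in a real service the authentication check belongs in the web layer (a dependency or middleware on the route) so that the endpoint is never reachable anonymously at all, and the database account used by the service should not have filesystem-writing privileges in the first place.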